"when the UK's British Telecom's Prestel text message service was attacked."
Doing something about it took about another decade with Project Argent, if memory serves. It was a box ticking exercise.
I got involved and the reviewer of my report turned out to have a background in security. Physical security. It was a farce. One of the questions, presumably a bit of arse covering from higher up, asked the reporter to confirm that the applications had no undocumented functionality or words along those lines. I think it was probably intended to deal with the situation where some departed dev. left a little time-bomb to require payment to keep it going*. I refused to tick that box. When this was challenged I suggested they ask BT procurement to say whether they thought Microsoft would provide that assurance. The requirement was dropped when procurement replied.
Systems in use got a desultory review as a consequence. Departments had to appoint a security officer. It was about the time I left - the whole project was the sort of thing that got dumped on someone who was leaving - but came back on contract to cover, as someone with no particular security background, for the appointee, also with no particular security background, to return from sick leave to take up the post.
The major weakness was obvious. We could review our own code. We could have consultants come and review our own code if manglement felt we weren't up to it. Our own code could be reviewed to the Nth degree. Everything else - OSes, RDBMSes, whatever - had to be taken on trust.
AFAICS the only difference between then and now is that the situation is far worse in terms of supply chain vulnerability. Outsourcing has made it worse. Growth in system complexity has made it worse. Network connectivity has made it worse. Why, for example, do organisations have to buy in a file transfer package which, from reports, simply seems to just wrap up FTP, something any admin ought to be able to do, and at the same time provide its own extended attack surface?
* There was something close in an accounts package that would make payment demands to any user as licence renewal came up.